Authentication Security

Account application#

  1. Submit an application for a clientId, secret and distributorId to the Huazhu-side mailbox, stating the identity information of the caller.

  2. The following information is required when applying:

  • (1) Caller: XXX Distributor
  • (2) IP source of the test environment: the IP address from which the test environment accesses <Huazhu authentication center>; an IP range segment is also supported
  • (3) IP source of the production environment: the IP address from which the production environment accesses <Huazhu authentication center>; an IP range segment is also supported

  3. After examination and approval by the Huazhu side, the clientId and secret of the test environment are provided.

  4. After research-and-development integration is complete, the clientId and secret of the production environment are provided. See Collaboration Launch Process for the specific process.

  5. Keep the clientId and secret confidential. The secret acts as the password for the caller's account, so store it in a secrets store rather than in source code and do not share it outside the integrating systems.

Interface authentication#

OAuth2 authentication method

The design follows the OAuth 2.0 Authorization Framework published by the IETF (Internet Engineering Task Force), RFC 6749: https://tools.ietf.org/html/rfc6749. The Client Credentials grant (RFC 6749 section 4.4) is used: the caller authenticates with its own clientId and secret and receives an access token with no end-user involved.

Instructions for use#

step 1. The client requests a token using the clientId and secret#

  • The default validity period of a token is 3600 seconds; a maximum validity period of 7200 seconds can be applied for.
  • A new token must be requested once the token expires; request the replacement before the old one expires.
  • Each request for a new token invalidates the old token. To avoid breaking requests that are still in flight when this happens, the old token is not invalidated immediately (the current buffer is 120 s).
  • Multi-service, multi-instance applications must implement central management so that one token is shared across all instances, and should refresh ahead of expiry (a random number of seconds in the range 180~300) so that the business instances do not compete to refresh and lose requests in the process.

step 2. The client carries the token when requesting the service resource interface#

The token is transmitted in the HTTP Authorization request header using the Bearer authentication scheme (token authentication, RFC 6750).

Example#

1) Get a token. The credential after "Authorization: Basic " (note the space) in the HTTP header is the string clientId:secret, Base64-encoded.

POST https://****<authservicedomain>****/oauth/token?scope=ALL&grant_type=client_credentials
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Get the result:

{"access_token":"abc********123","token_type":"Bearer","expires_in":3600,"scope":"ALL"}

2) Carry the token: set the Authorization header to "Bearer " followed by the access_token value and call the business interface. The caller will be able to check a token's validity and remaining lifetime through an interface provided by <Huazhu authentication center> (not yet open).

POST https://***<bizdomain>***/test
Authorization: Bearer abc********123
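The two steps above (obtain a token with the Basic credential, then send it as a Bearer header, renewing ahead of expiry as the notes under step 1 require), as an added example in Python. This is not code from the original page or from Huazhu. The endpoint URL and the client credentials are placeholders, the FakeAuthServer is a constructed stand-in for the token endpoint, and the HTTP transport is injected so the block runs offline; urllib_transport is the one you would plug in against the real service.

```python
"""Client-side token handling for the client_credentials flow above.

Added example; it is not Huazhu's SDK or any code from the original page.
Assumptions (not from the page): the token endpoint and credentials are
placeholders, and the HTTP transport is injected so the demo runs offline
against a constructed fake server.
"""
import base64
import json
import random
import threading
import time
import urllib.request
from typing import Callable, Dict, Optional

# Placeholder values; the real ones are issued by Huazhu after approval.
AUTH_URL = "https://<authservicedomain>/oauth/token?scope=ALL&grant_type=client_credentials"
CLIENT_ID = "demo-client-id"      # placeholder
CLIENT_SECRET = "demo-secret"     # placeholder; load from a secrets store in practice

# Page recommendation: refresh a random 180~300 s before expiry so that
# instances sharing one token do not all race to renew it at once.
REFRESH_EARLY_MIN = 180
REFRESH_EARLY_MAX = 300

Transport = Callable[[str, Dict[str, str]], dict]


def basic_auth_header(client_id: str, secret: str) -> str:
    """Value for 'Authorization: Basic <base64(clientId:secret)>'."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def urllib_transport(url: str, headers: Dict[str, str]) -> dict:
    """Real transport: POST with the given headers, return the parsed JSON body."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenManager:
    """One shared bearer token per process, renewed ahead of expiry.

    Every thread calls get_token(); the lock ensures only one of them
    performs the renewal. For multi-instance deployments the page asks for
    central management: put this object behind a small service or back it
    with a shared cache instead of running one copy per instance.
    """

    def __init__(self, transport: Transport, clock=time.monotonic, rng=None):
        self._transport = transport
        self._clock = clock              # injectable for tests
        self._rng = rng or random.Random()
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at = 0.0           # hard expiry reported by the server
        self._refresh_at = 0.0           # when we proactively renew

    def _fetch(self) -> None:
        body = self._transport(AUTH_URL, {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET)})
        if body.get("token_type", "").lower() != "bearer" or "access_token" not in body:
            raise RuntimeError(f"unexpected token response: {body}")
        expires_in = int(body["expires_in"])   # 3600 by default, up to 7200
        now = self._clock()
        early = self._rng.uniform(REFRESH_EARLY_MIN, REFRESH_EARLY_MAX)
        self._token = body["access_token"]
        self._expires_at = now + expires_in
        # Never schedule the renewal in the past for unusually short tokens.
        self._refresh_at = now + max(expires_in - early, expires_in / 2)

    def get_token(self) -> str:
        with self._lock:
            if self._token is None or self._clock() >= self._refresh_at:
                self._fetch()
            return self._token

    def bearer_header(self) -> Dict[str, str]:
        """Header to send with every business-interface call (step 2)."""
        return {"Authorization": f"Bearer {self.get_token()}"}


class FakeAuthServer:
    """Constructed stand-in for the token endpoint; counts issued tokens."""

    def __init__(self, expires_in: int = 3600):
        self.calls = 0
        self.expires_in = expires_in
        self.last_headers: Dict[str, str] = {}

    def __call__(self, url: str, headers: Dict[str, str]) -> dict:
        self.calls += 1
        self.last_headers = dict(headers)
        return {"access_token": f"tok-{self.calls}", "token_type": "Bearer",
                "expires_in": self.expires_in, "scope": "ALL"}


def demo_refresh_cycle() -> dict:
    """Drive the manager with a fake clock and return what happened."""
    now = [1000.0]
    server = FakeAuthServer()
    tm = TokenManager(server, clock=lambda: now[0], rng=random.Random(0))
    first = tm.bearer_header()["Authorization"]
    now[0] += 3000                      # before the 180~300 s renewal window
    still_first = tm.get_token()
    now[0] += 500                       # 3500 s elapsed: inside the window, not yet expired
    second = tm.get_token()
    return {"first": first, "still_first": still_first, "second": second,
            "calls": server.calls, "basic": server.last_headers["Authorization"]}


if __name__ == "__main__":
    print(demo_refresh_cycle())
```

Because the renewal happens 180~300 s before expiry, the old token is still within its own lifetime while the new one is issued, and the 120 s server-side buffer covers requests that were already sent with the old value; a client that only renews after a 401 would instead see a burst of failures at every expiry.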

Protocol security#